United States Patent and Trademark Office 



UNITED STATES DEPARTMENT OF COMMERCE 
I nilid Stall-, l'atint and Trademark Office 

Address: COMMISSIONER FOR PATENTS 



APPLICATION NO. 



FILING DATE 



FIRST NAMED INVENTOR 



ATTORNEY DOCKET NO. CONFIRMATION NO. 



10/729,814 12/C 

7590 

Frederick W. Gibb, III 
McGinn & Gibb, PLLC 
Suite 304 

2568-A RivaRoad 
Annapolis, MD 21401 



JP920030193US1 



CHOI, PETER H 



PAPER NUMBER 



DELIVERY MODE 



Please find below and/or attached an Office communication concerning this application or proceeding. 

The time period for reply, if any, is set in the attached communication. 



PTOL-90A (Rev. 04/07) 



l/ffflrC? nVrliUli Otfff Iff ids y 


Application No. 

10/729,814 


Applicant(s) 

BATRA ET AL. 


Examiner 

PETER CHOI 


Art Unit 

3623 





- The MAILING DATE of this communication appears on the cover sheet with the correspondence address — 
Period for Reply 



A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) OR THIRTY (30) DAYS, 
WHICHEVER IS LONGER, FROM THE MAILING DATE OF THIS COMMUNICATION. 

- Extensions of time may be available under the provisions of 37 CFR 1 .136(a). In no event, however, may a reply be timely filed 
after SIX (6) MONTHS from the mailing date of this communication. 

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication. 

- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 133). 
Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any 
earned patent term adjustment. See 37 CFR 1 .704(b). 

Status 

1 )KI Responsive to communication(s) filed on 05 September 2008 . 
2a )□ This action is FINAL. 2b)^ This action is non-final. 

3) D Since this application is in condition for allowance except for formal matters, prosecution as to the merits is 

closed in accordance with the practice under Ex parte Quayle, 1935 CD. 11, 453 O.G. 213. 

Disposition of Claims 

4) ^ Claim(s) 1-15 is/are pending in the application. 

4a) Of the above claim(s) is/are withdrawn from consideration. 

5) D Claim(s) is/are allowed. 

6) ^ Claim(s) 1-15 is/are rejected. 

7) 0 Claim(s) is/are objected to. 

8) D Claim(s) are subject to restriction and/or election requirement. 

Application Papers 

9) Q The specification is objected to by the Examiner. 

10) D The drawing(s) filed on is/are: a)D accepted or b)D objected to by the Examiner. 

Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1.85(a). 
Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1.121(d). 

1 1) D The oath or declaration is objected to by the Examiner. Note the attached Office Action or form PTO-152. 

Priority under 35 U.S.C. § 119 

12) D Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 119(a)-(d) or (f). 
a)D All b)D Some * c)D None of: 

1 .□ Certified copies of the priority documents have been received. 

20 Certified copies of the priority documents have been received in Application No. . 

3.Q Copies of the certified copies of the priority documents have been received in this National Stage 
application from the International Bureau (PCT Rule 17.2(a)). 
* See the attached detailed Office action for a list of the certified copies not received. 



Attach ment(s) 

1) ^| Notice of References Cited (PTO-892) 4) □ Interview Summary (PTO-41 3) 

2) □ Notice of Draftsperson's Patent Drawing Review (PTO-948) Paper No(s)/Mail Date. . 

3) □ Information Disclosure Statement(s) (PTO/SB/08) 5 ) □ Notice of Informal Patent Application 

Paper No(s)/Mail Date . 6) □ Other: . 



PTOL-T26 d (Rev e 08-06r 



Office Action Summary 



Part of Paper No./Mail Date 20081 125 



Application/Control Number: 10/729,814 Page 2 

Art Unit: 3623 

DETAILED ACTION 

1 . The following is a NON-FINAL office action upon examination of application 
number 10/729,814. Claims 1-15 are pending in the application and have been 
examined on the merits discussed below. 

Response to Amendment 

2. The response filed September 5, 2008, amended claims 1,3-11 and 1 3-1 5. 

3. The previous rejection of claims 6 and 8-1 1 raised under 35 USC 1 01 is 
withdrawn in view of the amended claims submitted September 5, 2008. 

Response to Arguments 

4. Applicant's arguments filed September 5, 2008 have been fully considered but 
they are not persuasive. 

Applicant argues that the Patrick reference indicated as reference 1-U in the 
previously provided 892 form and applied against the claimed invention is not valid prior 
art because it only includes a general copyright date of 2003. 

The Examiner agrees but notes that this reference is not the grounds under 
which the claimed invention was rejected. The claimed invention was actually rejected 
under "Secure Workflow Model", which was identified as reference 1-V in the previously 
provided 892 form, which has a 2001 copyright date and thus qualifies as valid prior art. 
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This is obvious because the 1-U Patrick reference is merely 8 pages, numbered 33-41 ; 
however, the body of the actual rejection includes citations of pages 73, 79, 96, etc. that 
could not possibly be in reference to the 1-U Patrick reference, and instead refer to the 
1-V Patrick reference. The Examiner regrets the typographical error and any confusion 
it may have caused. The updated office action below provides the correct rejection 
heading including the actual references applied while retaining the previous reference 
numbering/identification methodology (1-U, 1-V). 

Applicant argues that, as per page 4, lines 18-26 of the specification, a given 
workflow will not have any exposure if information that is produced is consumed by the 
very next stage. This is thought of as "just-in-time" production of inputs for the next 
stage. Exposure is avoided as information that is produced at any stage is consumed 
by the very next stage. To the contrary, if any workflow produces information that is 
unused for more than one step, information must be stored temporarily. In such a 
situation, security and resource overhead implications consequently exist and the 
claimed invention addresses such issues. 

In response to applicant's argument that the references fail to show certain 
features of applicant's invention, it is noted that the features upon which applicant relies 
(i.e., security and resource overhead implications) are not recited in the rejected 
claim(s). Although the claims are interpreted in light of the specification, limitations from 
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the specification are not read into the claims. 
USPQ2d 1057 (Fed. Cir. 1993). 
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See In re Van Geuns, 988 F.2d 1 181 , 26 



5. The following arguments presented by the Applicant have been considered but 
are moot in view of the new ground(s) of rejection. 

Applicant argues that the proposed combination of references does not teach or 
suggest basing cost functions upon the amount and duration of information exposed 
between processing steps of a workflow in order to identify the workflow that has the 
lowest exposure cost function. 

Applicant argues that Patrick is limited to disclosing an enhanced secure 
workflow, but is not directed to selecting between different workflows based upon an 
exposure cost measure. Applicant further argues that Patrick does not disclose that the 
exposure cost measure is "based upon, in part, details of critical information that is 
temporarily stored between processing steps within each of said possible workflows". 

Applicant argues that while Patrick does not teach or suggest calculating 
exposure cost measures in a cost minimization operation to evaluate which of a number 
of different workflows produces the lowest exposure cost measure, and further that 
Patrick does not base the evaluation upon whether data is temporarily stored between 
processing steps. 
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The Examiner notes that the arguments presented by the Applicant directed to 
"cost measures" and temporary storage of data have been newly amended to the claims 
and have been addressed in the updated rejection below. 

Official Notice 

Applicant has attempted to challenge the Examiner's taking of Official Notice in 
the Office Action mailed June 9, 2008. There are minimum requirements for a challenge 
to Official Notice: 

(a) In general, a challenge, to be proper, must contain adequate information 
or arguments so that on its face it creates a reasonable doubt regarding the 
circumstances justifying the Official Notice 

(b) Applicants must seasonably traverse (challenge) the taking of Official 
Notice as soon as practicable, meaning the next response following an Office Action. If 
an applicant fails to seasonably traverse the Official Notice during examination, his right 
to challenge the Official Notice is waived. 

Applicant has not provided adequate information or arguments so that on its face 
it creates a reasonable doubt regarding the circumstances justifying the Official Notice. 
Therefore, the presentation of a reference to substantiate the Official Notice is not 
deemed necessary. The Examiner's taking of Official Notice has been maintained. 
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Bald statements such as, "the Examiner has not provided proof that this element 
is well known" or "applicant disagrees with the Examiner's taking of Official Notice and 
hereby requests evidence in support thereof, are not adequate and do not shift the 
burden to the Examiner to provide evidence in support of the Official Notice. 

Regardless, the Examiner submits, as evidence, Michael zur Muehlen's 
"Workflow-based Process Controlling - Or: What You Can Measure You Can Control" 
(provided herein as reference 1-U) in support of the assertion that "using quantifiable 
methods to measure data describing the state or performance of a system or process, 
such as length, duration, or amount of an event or output, or a combination of multiple 
descriptive measures, is old and well known in the art." Muehlen teaches that workflow 
monitoring can also be divided into technical and organizational monitoring and can be 
used for performance measurement (e.g., response time, system load, etc.), and 
organizational monitoring measures the organizational efficiency (e.g., idle times, 
workload analysis, etc.) [page 62]. Muehlen also discusses that process monitoring is 
useful to measure the value of the IT investment necessary to improve the processes, 
and that the effects related to a workflow management system can be distinguished in 
monetary and non-monetary effects, including reduced processing times (personnel 
cost), reduced transport times (personnel and resource cost), and reduced storage 
costs (for paper archives) [page 65]. Muehlen also discusses uses information from the 
workflow audit trail and the timestamp of the activation, execution and completion or 
abortion of workflow activities to compute process cycle times, lay- and idle-times as 
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well as activity processing times and their deviations [pages 66 and 70]. Muehlen also 
discusses measuring the quality in terms of describing the efficiency of a resource, or 
the total output, measuring the effectiveness of a resource, and states that the cost, 
time and quality indicators of resources can be used within the role-based staff 
resolution, and that in this way, an activity may request the cheapest/fastest/most 
effective resource that satisfies certain qualification criteria [page 72]. Thus, the 
Examiner asserts that Muehlen discloses a plurality of examples in support of the 
Official Notice that "using quantifiable methods to measure data describing the state or 
performance of a system or process, such as length, duration, or amount of an event or 
output, or a combination of multiple descriptive measures, is old and well known in the 
art." 



Claim Rejections - 35 USC §112 

6. The following is a quotation of the first paragraph of 35 U.S.C. 112: 

The specification shall contain a written description of the invention, and of the manner and process of 
making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the 
art to which it pertains, or with which it is most nearly connected, to make and use the same and shall 
set forth the best mode contemplated by the inventor of carrying out his invention. 

7. Claims 1 -1 5 are rejected under 35 U.S.C. 1 1 2, first paragraph, as based on a 
disclosure which is not enabling. Subject matter critical or essential to the practice of the 
invention, but not included in the claim(s) is not enabled by the disclosure. See In re 
Mayhew, 527 F.2d 1229, 188 USPQ 356 (CCPA 1976). 



The claimed invention recites "critical information" that is used in calculating an 
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exposure cost measure for a workflow. The specification fails to disclose how 
information is deemed to be "critical", and how "critical" information is distinguished from 
"non-critical" information. Thus, it appears that the "critical information" is limited to a 
user's subjective determination of what is "critical" and what is "non-critical". The metes 
and bounds of the "critical information" are therefore unclear because the results of 
these comparisons and assessments are based on the complete subjectivity of a 
human user. The specification does not provide adequate written disclosure to enable 
an artisan of ordinary skill in the art to make and/or use the invention as intended by the 
Applicant since the invention could be utilized differently by each human user in light of 
differences in subjectivity among humans. 

Further, the metes and bounds of "critical information" is unclear because the 
criticality of information seems to be subjective; in other words, there is no objective, 
qualitative, or quantitative evaluation used to access how "critical" information is. 
Therefore, the criticality of the "critical information" is based on subjective evaluations. 
The reliance on a plurality of subjective measures renders the claimed invention 
indefinite. Thus, one of ordinary skill in the art would not be enabled to make, practice 
or use the claimed invention without undue experimentation. 

Further, the claimed invention recites that the exposure cost measure is "based 
upon, in part , details of critical information..." [emphasis added]. However, the 
specification merely mentions that "the exposure measure may be calculated based 
upon the amount of information that is exposed, or the duration for which that 
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information is exposed, or a combination of both" [page 2, lines 27-29]. The 
specification does not discuss the possible consideration of factors other than the 
amount and/or duration of information exposure. Thus, the use of other considerations 
other than the amount and duration of information exposure would not be enabled by 
the specification; therefore, one of ordinary skill in the art would not be enabled to make, 
practice or use the claimed invention without undue experimentation. 

Furthermore, assuming that other considerations beyond the temporarily stored 
critical information were enabled, the specification does not specify how these additional 
considerations would be combined with said temporarily stored critical information in 
order to calculate an exposure cost. For example, would the calculation be based on an 
equal or weighted combination of factors? How would the considerations be combined 
to yield an exposure cost measure? The metes and bounds of the basis of the 
calculation of an exposure cost measure is therefore unclear because the specification 
does not provide adequate written disclosure to enable an artisan of ordinary skill in the 
art to make and/or use the invention as intended by the Applicant since the invention 
could be utilized differently by each human user in light of differences in subjectivity 
among humans. 

8. The following is a quotation of the second paragraph of 35 U.S.C. 112: 

The specification shall conclude with one or more claims particularly pointing out and distinctly 
claiming the subject matter which the applicant regards as his invention. 
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9. Claims 1 -1 5 are rejected under 35 U.S.C. 1 1 2, second paragraph, as being 
indefinite for failing to particularly point out and distinctly claim the subject matter which 
applicant regards as the invention. 

10. Claims 1, 6, and 7 recite an exposure cost measure being based upon, in part, 
details of "critical" information. The term "critical" is a relative term which renders the 
claim indefinite. The term "critical" is not defined by the claim, the specification does not 
provide a standard for ascertaining the requisite degree, and one of ordinary skill in the 
art would not be reasonably apprised of the scope of the invention. Specifically, the 
claims and specification do not provide guidance to determine what is considered 
"critical" information. 

Further, the claimed invention recites that the exposure cost measure is "based 
upon, in part , details of critical information..." [emphasis added]. However, it is unclear 
how other considerations other than the amount and duration of information exposure 
would be used in the calculation of an exposure cost measure. For example, would the 
calculation be based on an equal or weighted combination of factors? How would the 
considerations be combined to yield an exposure cost measure? The specification 
does not specify how other considerations affect the calculation of the exposure cost 
measure and is therefore indefinite. 



Claim Rejections - 35 USC § 101 
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11. 35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of 
matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the 
conditions and requirements of this title. 

Claims 1-5 are rejected under 35 U.S.C. 101 because the claimed invention is 
directed to non-statutory subject matter. 

Claims 1-5 are rejected under 35 U.S.C. 101 based on Supreme Court 
precedent, and recent Federal Circuit decisions, the Office's guidance to examiners is 
that a § 101 process must (1 ) be tied to another statutory class (such as a particular 
apparatus) or (2) transform underlying subject matter (such as an article or materials) to 
a different state or thing. Diamond v. Diehr, 450 U.S. 175, 184(1981); Parker v. Flook, 
437 U.S. 584, 588 n.9 (1978); Gottschalk v. Benson, 409 U.S. 63, 70 (1972); Cochrane 
v. Deener, 94 U.S. 780,787-88 (1876). If neither of these requirements is met by the 
claim, the method is not a patent eligible process under 35 U.S.C. 101 and is non- 
statutory subject matter. 

An example of a method claim that would not qualify as a statutory process 
would be a claim that recited purely mental steps. Thus, to qualify as a § 101 statutory 
process, the claim should positively recite the other statutory class (the thing or product) 
to which it is tied, for example by identifying the apparatus that accomplishes the 
method steps, or positively recite the subject matter that is being transformed, for 
example by identifying the material that is being changed to a different state. Dependent 
claims 2-5 merely add further details of the workflow selection method recited in claim 1 
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without including any tie to another statutory category nor any transformation of subject 
matter into a different state or thing. 

Here, applicant's method steps, fail the first prong since they are not tied to 
another statutory class and can be performed without the use of a particular apparatus. 
Thus, claims 1-5 are non-statutory since they may be performed within the human mind. 

Claim Rejections - 35 USC § 103 

12. The following is a quotation of 35 U.S.C. 1 03(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

1 3. Claims 1 -1 5 are rejected under 35 U.S.C. 1 03(a) as being unpatentable over 
Chan et al. (US Patent #6,889,375) in view of Hung Chak Kuen Patrick's "Secure 
Workflow Model" (published April 2001 and previously provided as reference 1-V, 
hereinafter referred to as Patrick) and further in view of Michael zur Muehlen's 
"Workflow-based Process Controlling - Or: What You Can Measure You Can Control" 
(herein provided as reference 1-U, hereinafter referred to as Muehlen). 

As per claim 1 , Chan et al. teaches a method for selecting a workflow, said 
method comprising the steps of: 
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(a) constructing a set of possible workflows meeting a workflow specification 
having a predetermined input and a required output, using components having defined 
inputs and outputs (A display 148 presents icons representing workflows 108 and 
workflow steps 109 in an editor window 150, enabling a user to easily create and 
edit workflows 108. Contracts 102a specify interactions between design-time 
container 110 and workflows 108 and workflow steps 109 typically by describing 
service that design-time container is to provide to workflow steps 109. For 
example, a contract 102a specifies that design-time container 110 is to retrieve 
workflow steps 109 for workflow 108 by associating workflow 108 with the 
retrieval of workflow steps 109. Another contract 102a specifies that design-time 
container 110 is to retrieve input data from a user for workflow step 109 by 

associating workflow step 109 with the retrieval of input data Application 

server 128 includes a workflow repository 132, a workflow administrator 130, and 
run-time container 112. Workflow repository 132 stores workflows 108 and 
contracts 102c associated with the workflows. Contracts 102c specify 
interactions between workflows 108 and workflow steps 109. For example, a 
workflow step 109 is designed to retrieve a file and includes a file name variable. 
An instantiation of workflow 108, called a task, supplies the file name value to be 
used for the file name variable. A contract 102 specifies the file by associating the 
file name variable of workflow step 109 and the file name value of the task) 
[Column 3, lines 28-39, 45-55]; 
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Although not explicitly taught by Chan et al., Patrick teaches the steps of: 

(b) calculating a exposure measure for each of the possible workflows in the 
set of possible workflows (Security Risk Factor - the maximum number of tasks 
done by any one agent. Essentially, the SRF measure the level of risk associated 
with a set of agents executing a group of inter-dependent tasks; Security Risk 
Factor... is based on evenly distributing the tasks over a set of agents with the 
condition that all the agents are capable of executing all the tasks and all of them 
can access the documents with the different privileges needed by each task.... 
We introduce the concept of Security Risk Value and incorporate it into SRF. SRV 
is a value from 0 to 1 .0 that indicates the level of risk. The higher the value, the 
higher is the risk) [pages 73, 79, 96]; and 

(c) selecting the constructed set of possible workflows for which the exposure 
measure is calculated to be a minimum (When statically assigning tasks (and the 
associated privileges) to agents, the principle of least privilege dictates that each 
agent should be granted as few privileges as possible, under the constraint that 
all tasks can be done) [Page 73]. 

Chan et al. is directed towards creating and developing workflows based on 
contracts that specify the relationship between workflows and workflow steps (i.e., 
workflow specification), whereas Patrick is directed towards considering access control 
security in providing the development of secure workflow. Thus, both Chan et al. and 
Patrick are deemed to be related towards different aspects of workflow development. 



Application/Control Number: 10/729,814 Page 15 

Art Unit: 3623 

Therefore, it would have been obvious to one of ordinary skill in the art at the time of 
invention to modify the teachings of Chan et al. to include the steps of calculating the 
exposure measure of each workflow and selecting the workflow with the smallest 
(minimum) exposure measure, as taught by Patrick, because doing so enhances the 
teachings of Chan et al. by integrating the concept of least privilege, granting only those 
privileges that are necessary to accomplish the task at hand, in order to provide the 
resultant high degree of security, facilitate hamper-free execution of workflows, and 
provide mechanisms to design systems that meet user's requirements for maintaining a 
high degree of security while getting workflows executed, as taught by Patrick [pages 
66-67]. 

The combined teachings of Chan et al. and Patrick do not explicitly teach an 
exposure cost measure being based upon, in part, details of critical information that is 
temporarily stored between processing steps within each of said possible workflows. 

However, Muehlen teaches the step of measuring the cost of a workflow based 
on performance measurement (e.g., response time, system load, etc.) and 
organizational efficiency (e.g., idle times, workload analysis, etc.) [page 62], and 
measuring the value of processes, including reduced processing times (personnel cost) 
and reduced storage costs [page 65]. Muehlen also teaches using the timestamp of 
state-changes regarding processes and activities of a workflow to compute process 
cycle times, lay- and idle-times (i.e., unused or "temporarily stored" resources) as well 
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as activity processing times and their deviations [pages 66 and 70]. Muehlen teaches 
that typical cost criteria would be the costs for the handling of an object [page 72]. 

Muehlen is directed towards providing measures to evaluate workflow-based 
processes, whereas Chan et al. is directed towards creating and developing workflows 
based on contracts that specify the relationship between workflows and workflow steps 
(i.e., workflow specification), and Patrick is directed towards considering access control 
security in providing the development of secure workflow. Thus, Chan et al., Patrick and 
Muehlen are deemed to be related towards different aspects of workflow development, 
and therefore, analogous. Therefore, it would have been obvious to one of ordinary skill 
in the art at the time of invention to modify the combined teachings of Chan et al. and 
Patrick to calculate the exposure cost of a workflow using the information that is 
temporarily stored between processing steps, because doing so would enable the 
selection of the cheapest/fastest/most effective resource that satisfies certain 
qualification criteria, as taught by Muehlen [page 72]. 

As per claim 2, Chan et al. teaches the method as claimed in claim 1, further 
comprising the step of storing a library of components from which possible workflows 
can be constructed (The display may include a palette of workflow steps 109 that 
may be selected to build or edit a workflow 108 by, for example, a drag-and-drop 
operation. Design-time container 110 retrieves workflow steps 109 from workflow 
library 111 and inserts them into workflow 108 as a user designs workflow 108; 
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Palette window 156 provides a list of the workflow steps 109 available for 
designing workflows 108. Workflow steps 109 may be placed in folders to 
organize the steps 109) [Column 3, lines 21-27, Column 6, lines 14-22]. 

As per claim 3, although not explicitly taught by Chan et al., Patrick teaches the 
method as claimed in claim 1 , further comprising the step of defining said exposure cost 
measure to be representative of an amount of information that a constructed workflow 
exposes (We define Security Risk Factor to be the maximum number of tasks 
done by any one agent) [Page 73]. 

Chan et al. is directed towards creating and developing workflows based on 
contracts that specify the relationship between workflows and workflow steps (i.e., 
workflow specification), whereas Patrick is directed towards considering access control 
security in providing the development of secure workflow. Thus, both Chan et al. and 
Patrick are deemed to be related towards different aspects of workflow development. 
Therefore, it would have been obvious to one of ordinary skill in the art at the time of 
invention to modify the teachings of Chan et al. to include the steps of calculating the 
exposure measure of each workflow and selecting the workflow with the smallest 
(minimum) exposure measure, as taught by Patrick, because doing so enhances the 
teachings of Chan et al. by integrating the concept of least privilege, granting only those 
privileges that are necessary to accomplish the task at hand, in order to provide the 
resultant high degree of security, facilitate hamper-free execution of workflows, and 
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provide mechanisms to design systems that meet user's requirements for maintaining a 
high degree of security while getting workflows executed, as taught by Patrick [pages 
66-67]. 

As per claim 4, Chan et al. does not explicitly teach the method as claimed in 
claim 1, further comprising the step of defining said exposure cost measure to be 
representative of a duration for which a constructed workflow exposes information. 

Patrick discusses the concept of least privilege, where users are given access 
privileges only long enough to perform the task assigned to them (ideally, the agent 
would be allowed to write d only when he is actively engaged in task t. In the 
workflow, the agent who is assigned to the task dynamically (i.e., at runtime) is 
granted the least privileges to the documents required for the execution of the 
task. Therefore, the agent can access those required documents during the 
execution of the task. These privileges are then revoked from the agent after it 
has finished performing the task) [Pages 81-82], and provides quantifiable measures 
regarding the exposure of a workflow (We define Security Risk Factor to be the 
maximum number of tasks done by any one agent) [Page 73], but does not explicitly 
teach the step of defining an exposure measure as representative of a duration for 
which a constructed workflow exposes information. 
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However, Official Notice is taken that using quantifiable methods to measure 
data describing the state or performance of a system or process, such as length, 
duration, or amount of an event or output, is old and well known in the art. For example, 
Muehlen teaches the use of quantifiable measures to monitor workflow processes, 
including processing, transport, idle and cycle times (i.e., a duration of time for the 
process) [pages 65, 66, 70]. 

Muehlen is directed towards providing measures to evaluate workflow-based 
processes, whereas Chan et al. is directed towards creating and developing workflows 
based on contracts that specify the relationship between workflows and workflow steps 
(i.e., workflow specification), and Patrick is directed towards considering access control 
security in providing the development of secure workflow. Thus, Chan et al., Patrick and 
Muehlen are deemed to be related towards different aspects of workflow development, 
and therefore, analogous. Therefore, it would have been obvious to one of ordinary skill 
in the art at the time of invention to modify the teachings of Chan et al. to define an 
exposure measure of each workflow as representative of a duration for which a 
workflow exposes information, because doing so enhances the teachings of the concept 
of least privilege, as taught by Patrick, by providing a quantifiable measure that allows a 
quantifiable comparison of exposure duration for benchmarking and establishing 
maximum thresholds as a basis for redesigning workflow to become more secure and 
abide by the principle of least privilege taught by Patrick, and further enables 
organizations to focus their risk management efforts strategically by quantifying and 
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demonstrating improvement and enhanced security of workflows, and tracking 
performance over time, and further because doing so would enable the selection of the 
cheapest/fastest/most effective resource that satisfies certain qualification criteria, as 
taught by Muehlen [page 72]. 

Further, one of ordinary skill in the art would have recognized that applying the 
known technique of applying quantitative measures to the teachings of Chan et al. and 
Patrick would have yielded predictable results because the level of ordinary skill in the 
art demonstrated by the references applied shows the ability to incorporate quantitative 
measures describing the exposure "measure". Further, applying a quantitative measure 
to measure the length or duration of time information is exposed would have been 
recognized by those of ordinary skill in the art as resulting in an improved system that 
would allow more quantifiable comparison of exposure duration for benchmarking and 
establishing of maximum thresholds as a basis for redesigning workflow to become 
more secure and abide by the principle of least privilege taught by Patrick, enabling 
organizations to focus their risk management efforts strategically by quantifying and 
demonstrating improvement and enhanced security of workflows, and tracking 
performance over time. 

As per claim 5, although not explicitly taught by Chan et al., Patrick teaches the 
method as claimed in claim 1, further comprising the step of defining said exposure cost 
measure to be representative of an amount of information that a constructed workflow 
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exposes (We define Security Risk Factor to be the maximum number of tasks 
done by any one agent) [Page 73]. 

Chan et al. is directed towards creating and developing workflows based on 
contracts that specify the relationship between workflows and workflow steps (i.e., 
workflow specification), whereas Patrick is directed towards considering access control 
security in providing the development of secure workflow. Thus, both Chan et al. and 
Patrick are deemed to be related towards different aspects of workflow development. 
Therefore, it would have been obvious to one of ordinary skill in the art at the time of 
invention to modify the teachings of Chan et al. to include the steps of calculating the 
exposure measure of each workflow and selecting the workflow with the smallest 
(minimum) exposure measure, as taught by Patrick, because doing so enhances the 
teachings of Chan et al. by integrating the concept of least privilege, granting only those 
privileges that are necessary to accomplish the task at hand, in order to provide the 
resultant high degree of security, facilitate hamper-free execution of workflows, and 
provide mechanisms to design systems that meet user's requirements for maintaining a 
high degree of security while getting workflows executed, as taught by Patrick [pages 
66-67]. 

Patrick discusses the concept of least privilege, where users are given access 
privileges only long enough to perform the task assigned to them (ideally, the agent 
would be allowed to write d only when he is actively engaged in task t. In the 
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workflow, the agent who is assigned to the task dynamically (i.e., at runtime) is 
granted the least privileges to the documents required for the execution of the 
task. Therefore, the agent can access those required documents during the 
execution of the task. These privileges are then revoked from the agent after it 
has finished performing the task) [Pages 81-82], and provides quantifiable measures 
regarding the exposure of a workflow (We define Security Risk Factor to be the 
maximum number of tasks done by any one agent) [Page 73], but does not explicitly 
teach the step of defining an exposure measure as representative of a duration and 
amount for which information is exposed for a constructed workflow. 

However, Official Notice is taken that using quantifiable methods to measure 
data describing the state or performance of a system or process, such as length, 
duration, or amount of an event or output, or a combination of multiple descriptive 
measures, is old and well known in the art. For example, Muehlen teaches the use of 
quantifiable measures to monitor workflow processes, including processing, transport, 
idle and cycle times (i.e., a duration of time for the process) [pages 65, 66, 70], and 
further teaches that workflow monitoring can comprise a combination of both technical 
and organizational monitoring, wherein technical monitoring is used for performance 
measurement (e.g., response time, system load, etc.) and organizational monitoring 
measures the organizational efficiency (e.g., idle times, workload analysis, etc.) [page 
62]. 
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Muehlen is directed towards providing measures to evaluate workflow-based 
processes, whereas Chan et al. is directed towards creating and developing workflows 
based on contracts that specify the relationship between workflows and workflow steps 
(i.e., workflow specification), and Patrick is directed towards considering access control 
security in providing the development of secure workflow. Thus, Chan et al., Patrick and 
Muehlen are deemed to be related towards different aspects of workflow development, 
and therefore, analogous. Therefore, it would have been obvious to one of ordinary skill 
in the art at the time of invention to modify the teachings of Chan et al. to define an 
exposure measure of each workflow as representative of a duration for which a 
workflow exposes information, because doing so enhances the teachings of the concept 
of least privilege, as taught by Patrick, by providing a quantifiable measure that allows a 
quantifiable comparison of exposure duration for benchmarking and establishing 
maximum thresholds as a basis for redesigning workflow to become more secure and 
abide by the principle of least privilege taught by Patrick, and further enables 
organizations to focus their risk management efforts strategically by quantifying and 
demonstrating improvement and enhanced security of workflows, and tracking 
performance over time, and further because doing so would enable the selection of the 
cheapest/fastest/most effective resource that satisfies certain qualification criteria, as 
taught by Muehlen [page 72]. 

Further, one of ordinary skill in the art would have recognized that applying the 
known technique of applying quantitative measures to the teachings of Chan et al. and 
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Patrick would have yielded predictable results because the level of ordinary skill in the 
art demonstrated by the references applied shows the ability to incorporate quantitative 
measures describing the exposure "measure". Further, applying a quantitative measure 
to measure the length or duration of time information is exposed would have been 
recognized by those of ordinary skill in the art as resulting in an improved system that 
would allow more quantifiable comparison of exposure duration for benchmarking and 
establishing of maximum thresholds as a basis for redesigning workflow to become 
more secure and abide by the principle of least privilege taught by Patrick, enabling 
organizations to focus their risk management efforts strategically by quantifying and 
demonstrating improvement and enhanced security of workflows, and tracking 
performance over time. 

Claim 6 recites limitations already addressed by the rejection of claim 1 above; 
therefore, the same rejection applies. 

Further, the teachings of Chan et al. are embodied as a computer-based system, 
evidenced by its use within a communications network (telecommunications device 
120 communicates with system 104 through a communications network 122 such 
as a local, wide, or global area network, a private branch exchange, a public 
switched telephone network, wired and/or wireless communication links, and/or 
any combination of the previously mentioned communication links) and use of 
software comprising instructions executable by a computer system, evidenced by the 
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use of Java-based programming (Microsoft Windows Foundation Class or Java 
Foundation Class may be used by design-time container 110) and other computing- 
based structures (run-time container, design time container) [Column 2, lines 37-47, 
Column 3, lines 20-21, claim 1]. 

Claim 7 recites limitations already addressed by the rejection of claim 1 above; 
therefore, the same rejection applies. 

Further, the teachings of Chan et al. are embodied within application 
development software embodied in a computer-readable medium [Claim 15]. 

Claim 8 recites limitations already addressed by the rejection of claim 2 above; 
therefore, the same rejection applies. 

Claim 9 recites limitations already addressed by the rejection of claim 3 above; 
therefore, the same rejection applies. 

Claim 10 recites limitations already addressed by the rejection of claim 4 above; 
therefore, the same rejection applies. 

Claim 1 1 recites limitations already addressed by the rejection of claim 5 above; 
therefore, the same rejection applies. 
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Claim 12 recites limitations already addressed by the rejection of claim 2 above; 
therefore, the same rejection applies. 

Claim 13 recites limitations already addressed by the rejection of claim 3 above; 
therefore, the same rejection applies. 

Claim 14 recites limitations already addressed by the rejection of claim 4 above; 
therefore, the same rejection applies. 

Claim 15 recites limitations already addressed by the rejection of claim 5 above; 
therefore, the same rejection applies. 

Conclusion 

14. The prior art made of record and not relied upon is considered pertinent to 
applicant's disclosure. 

Shen (US 2003/0212580) teaches management of information flow and workflow 
in medical imaging services by mapping activities to a set of discrete steps in a model 
medical imaging process. Data is collected and tracked and further correlated to at 
least one of the discrete steps in the model and process metrics for performance are 
calculated based upon the correlated data. 
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Cardoso et al.'s "Workflow Quality of Service" (reference 1-V) teaches the use of 
workflow management systems to streamline and automate business processes, 
reengineer their structure, as well as increasing efficiency and reducing costs. 
Workflow quality of service (QoS) represents the quantitative and qualitative 
characteristics of a workflow application necessary to achieve a set of initial 
requirements. Quantitative characteristics can be evaluated in terms of concrete 
measures such as workflow execution time, cost, and quality. Information services QoS 
can be divided in three categories: system centric, process centric, and information 
centric. Cardoso et al. developed a model composed of four dimensions: time, cost, 
fidelity, and reliability. Cost represents the cost associated with the execution of 
workflow tasks and can be broken down into two major components: enactment cost 
and task realization cost. Four measurements are used for workflow time-base 
execution: workflow response time, workflow delay time, minimum workflow response 
time, and workflow response time efficiency. 

Bitzer et al.'s "Workflow Reengineering: A Methodology for Business Process 
Reengineering Using Workflow Management Technology" (reference 1-W) discusses 
three categories of process measurements: effectiveness, efficiency and adaptability. 
Efficiency is a measurement of productivity and level of resource usage and includes 
the cycle completion time, amount of time spent on rework, resources expended per 
unit, and amount of value-added to each product unit. 
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Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to PETER CHOI whose telephone number is (571)272- 
6971 . The examiner can normally be reached on M-F 9-5. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Beth Boswell can be reached on (571) 272-6737. The fax phone number for 
the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 
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